Add GitHub token authentication to Makefile downloads

[stuggi]

Fixes GitHub rate limiting issues in CI by automatically using GITHUB_TOKEN when available for downloads from GitHub (raw.githubusercontent.com and github.com/releases). Falls back gracefully to unauthenticated downloads when no token is present, maintaining compatibility with local development.

E.g seen in https://github.com/openstack-k8s-operators/openstack-operator/actions/runs/15896190926/job/44828209996, force-bump actions can fail with github rate limit:

Run make bindata
  make bindata
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
test -s /home/runner/work/openstack-operator/openstack-operator/bin/kustomize || { curl -Ss "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s -- 5.5.0  /home/runner/work/openstack-operator/openstack-operator/bin; }
Github rate-limiter failed the request. Either authenticate or wait a couple of minutes.
make: *** [Makefile:319: /home/runner/work/openstack-operator/openstack-operator/bin/kustomize] Error 1

Updated targets:

• kustomize (install script)
• yq (binary release)
• kuttl (binary release)
• operator-sdk (binary release)
• opm (binary release)
• golangci-lint (install script)

Usage in CI: export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
Local dev: no changes required

Jira: OSPRH-17779

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[softwarefactory-project-zuul]

This change depends on a change that failed to merge.

Change openstack-k8s-operators/openstack-k8s-operators-ci#137 is needed.

[stuggi]

/retest

[stuggi]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/15cfbf7a78af45b6bc7dfac4cbb2de3f

❌ openstack-k8s-operators-content-provider FAILURE in 6m 03s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[ratailor]

shouldn't we use $ instead of $$ if we want to access variable value. IIUC the later would return PID of running process.

[stuggi]

because its a Makefile to access environment variables we have to use $$. To pass a literal $ to the shell, you must escape it from make's interpretation by doubling it.

[stuggi]

/retest

[stuggi]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/337bf767273d4552a4e1bfc90e84c9a3

❌ openstack-k8s-operators-content-provider FAILURE in 6m 02s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/c61e973987134767af4a48a2b5fdfc5f

❌ openstack-k8s-operators-content-provider FAILURE in 5m 59s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1fbc4d5c57184b84ac0dd0a06ce0d7b8

❌ openstack-k8s-operators-content-provider FAILURE in 7m 46s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8f8f1f56e538465bb972663e0dcd2f97

❌ openstack-k8s-operators-content-provider FAILURE in 5m 54s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[stuggi]

looks like ci-framework is calling the make command in the wrong dir openstack-k8s-operators-ci?
https://logserver.rdoproject.org/df4/rdoproject.org/df4015a7b8cc4522ad7bcfa68f44d478/ci-framework-data/logs/ci_script_001_openstack_k8s_operators_ci.log

~/src/github.com/openstack-k8s-operators/openstack-k8s-operators-ci ~/ci-framework-data/artifacts
make: *** No rule to make target 'manifests'.  Stop.

comparing to a different job there it is
https://logserver.rdoproject.org/867/rdoproject.org/86758a08ecee4c7cab5b999d32c3ea5e/ci-framework-data/logs/ci_script_001_openstack_operator_call.log

~/src/github.com/openstack-k8s-operators/openstack-operator ~/ci-framework-data/artifacts
test -f go.work || GOTOOLCHAIN=go1.21.0 go work init
go: downloading go1.21.0 (linux/amd64)

[stuggi]

2025-07-24 05:37:54,168 p=26016 u=zuul n=ansible | TASK [operator_build : openstack-k8s-operators-ci - Call manifests dry_run={{ cifmw_operator_build_dryrun|bool }}, chdir={{ operator.src }}, output_dir={{ cifmw_operator_build_basedir }}/artifacts, script=make manifests] ***
2025-07-24 05:37:54,168 p=26016 u=zuul n=ansible | Thursday 24 July 2025  05:37:54 -0400 (0:00:00.036)       0:02:37.880 ********* 
2025-07-24 05:37:54,231 p=26016 u=zuul n=ansible | Follow script's output here: /home/zuul/ci-framework-data/logs/ci_script_001_openstack_k8s_operators_ci.log
2025-07-24 05:37:54,340 p=26016 u=zuul n=ansible | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: NoneType: None
2025-07-24 05:37:54,341 p=26016 u=zuul n=ansible | fatal: [localhost]: FAILED! => 
    changed: true
    msg: non-zero return code
    rc: 2
    stderr: ''
    stderr_lines: []
    stdout: |
      ~/src/github.com/openstack-k8s-operators/openstack-k8s-operators-ci ~/ci-framework-data/artifacts
      make: *** No rule to make target 'manifests'.  Stop.
    stdout_lines:
    - ~/src/github.com/openstack-k8s-operators/openstack-k8s-operators-ci ~/ci-framework-data/artifacts
    - 'make: *** No rule to make target ''manifests''.  Stop.'

[stuggi]

I have a depends-on on the openstack-k8s-operators-ci repo ... lets remove that.

Depends-On: https://github.com/openstack-k8s-operators/openstack-k8s-operators-ci/pull/137

[stuggi]

recheck

[stuggi]

/retest

[openshift-ci]

@stuggi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/openstack-operator-build-deploy-kuttl	7d679d0	link	true	/test openstack-operator-build-deploy-kuttl

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dprince]

Instead of automating it this way would it be better to just have the CI base container automatically add these dependencies via a Dockerfile? That way they won't be added repeatedly in each job. Also, the Makefile's for service operators would be simpler.

[stuggi]

Instead of automating it this way would it be better to just have the CI base container automatically add these dependencies via a Dockerfile? That way they won't be added repeatedly in each job. Also, the Makefile's for service operators would be simpler.

@dprince I have submitted PR [1] with the alternative approach to use a pre-build image with tools installed. One point I could see is that we need multiple images if we bump tool version, like golang, when we do the bump one service repo after each other.

will add hold on this until we decided which way to go

[1] openstack-k8s-operators/openstack-k8s-operators-ci#138

[stuggi]

closing in preference of openstack-k8s-operators/openstack-k8s-operators-ci#138